Building Survivable Systems: An Integrated Approach based on Intrusion Detection and Damage Containment

Reliance on networked information systems to support critical infrastructures prompts interest in making network information systems survivable, so that they continue functioning even when under attack. To build survivable systems, attacks must be detected and reacted to before they impact performance or functionality. Previous survivable systems research focussed primarily on detecting intrusions, rather than on preventing or containing damage due to intrusions. We have therefore developed a new approach that combines early attack detection with automated reaction for damage prevention and containment, as well as tracing and isolation of attack origination point(s). Our approach is based on specifying security-relevant behaviors using patterns over sequences of observable events, such as a process’s system calls and their arguments, and the contents of network packets. By intercepting actual events at runtime and comparing them to specifications, attacks can be detected and operations associated with the deviant events can be modified to thwart the attack. Being based on security-relevant behaviors rather than known attack signatures, our approach can protect against unknown attacks. At the same time, our approach produces few false positives – a property that is critical for automating reactions. Our host-based mechanisms for attack detection and isolation coordinate with network routers enhanced with active networking technology in order to trace the origin of the attack and isolate the attacker.